Skip to content
Threat Feed
critical advisory updated

VMware Server-Side Template Injection Attempt (CVE-2022-22954)

An attacker attempts to exploit CVE-2022-22954, a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager, by sending a crafted HTTP GET request containing malicious parameters to achieve remote code execution.

What's new

This threat brief addresses potential exploitation attempts targeting CVE-2022-22954, a server-side template injection vulnerability affecting VMware Workspace ONE Access (Access) and Identity Manager (vIDM). This vulnerability allows a remote attacker to execute arbitrary code on the server. The attack is initiated through malicious HTTP GET requests containing specific parameters designed to exploit the template injection flaw. This activity is significant because successful exploitation can lead to complete system compromise, unauthorized access, and the execution of arbitrary commands, making it critical for defenders to identify and mitigate these attempts. The vulnerability was disclosed in early 2022, and proof-of-concept exploits are publicly available, increasing the risk of widespread exploitation attempts.

Attack Chain

  1. The attacker identifies a vulnerable VMware Access or vIDM instance.
  2. The attacker crafts a malicious HTTP GET request targeting a specific endpoint (potentially involving deviceudid).
  3. The malicious GET request includes payload strings such as freemarker.template.utility.ObjectConstructor or java.lang.ProcessBuilder within the URL to trigger template injection.
  4. The vulnerable application processes the crafted request without proper sanitization, interpreting the payload as a template instruction.
  5. The template engine executes the injected code, allowing the attacker to execute arbitrary commands on the server.
  6. The attacker leverages the initial code execution to establish persistence, potentially by writing a backdoor to disk.
  7. The attacker escalates privileges to gain root or SYSTEM access.
  8. The attacker moves laterally within the network, compromising other systems and exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2022-22954 can lead to complete compromise of the affected VMware Access or vIDM server. This includes unauthorized access to sensitive data, the ability to execute arbitrary commands, and the potential for lateral movement within the network. Organizations using vulnerable versions of VMware products are at risk of data breaches, service disruption, and reputational damage. Public exploits have been developed, increasing the likelihood of widespread attacks.

Recommendation

  • Deploy the Sigma rule Detect VMware CVE-2022-22954 Exploitation Attempts to your SIEM to identify malicious HTTP GET requests (logsource: webserver, product: linux).
  • Investigate any alerts generated by the Sigma rule, focusing on systems accessing the affected VMware instances.
  • Apply the official VMware patch for CVE-2022-22954 immediately to remediate the vulnerability (reference: https://www.vmware.com/security/advisories/VMSA-2022-0011.html).
  • Monitor web server logs for unusual URL patterns containing deviceudid in combination with Java-related keywords, even if the Sigma rule does not trigger (logsource: webserver, product: linux).
  • Implement network segmentation to limit the impact of a successful compromise.

Detection coverage 2

Detect VMware CVE-2022-22954 Exploitation Attempts

critical

Detects attempts to exploit CVE-2022-22954, a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager via HTTP GET requests.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detect VMware CVE-2022-22954 Post-Exploitation Webshell

high

Detects potential webshell creation as a result of CVE-2022-22954 exploitation by looking for file creation events in common web directories

sigma tactics: persistence techniques: T1505.003 sources: file_event, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

command

5

hash_custom

1

url

TypeValue
urlhttps://sploitus.com/exploit?id=555C3224-9482-5B98-BCBB-E11172E89770
commandcat /etc/passwd
hash_custom-1250474341
hash_custom-713727389
hash_custom-1987733375
hash_custom1459735704
hash_custom198112565